How to extract xml value having multiple same chil...

Vkeshar · ‎09-09-2022

I have following sample XML event where I want to extract specific value for a child tag . Ex when <Order fact> value is 'Place' then extract <Orderupdatevalue> which is false

<OrderUpdateField>
<OrderFacts>Place</OrderFacts>
<OrderDataType>String</OrderDataType>
<OrderUpdateValue>False</OrderUpdateValue>
<OrderFacts>Number</OrderFacts>
<OrderDataType>Integer</OrderDataType>
<OrderUpdateValue>1</OrderUpdateValue>
<OrderFacts>Location</OrderFacts>
<OrderDataType>String</OrderDataType>
<OrderUpdateValue>Earth</OrderUpdateValue>
</OrderUpdateField>

kamlesh_vaghela · ‎09-26-2022

@Vkeshar

It looks like you need the first value from multivalued data.

Can you please try this?

YOUR_SEARCH | spath
| eval OrderFacts=mvindex('OrderUpdateField.OrderFacts',0), OrderUpdateValue=mvindex('OrderUpdateField.OrderUpdateValue',0)
| table OrderFacts OrderUpdateValue

My Sample Search :

| makeresults | eval _raw="<OrderUpdateField>
     <OrderFacts>Place</OrderFacts>
     <OrderDataType>String</OrderDataType>
      <OrderUpdateValue>False</OrderUpdateValue>
     <OrderFacts>Number</OrderFacts>
     <OrderDataType>Integer</OrderDataType>
     <OrderUpdateValue>1</OrderUpdateValue>
     <OrderFacts>Location</OrderFacts>
    <OrderDataType>String</OrderDataType>
    <OrderUpdateValue>Earth</OrderUpdateValue>
</OrderUpdateField>" | spath
| eval OrderFacts=mvindex('OrderUpdateField.OrderFacts',0), OrderUpdateValue=mvindex('OrderUpdateField.OrderUpdateValue',0)
| table OrderFacts OrderUpdateValue

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How to extract xml value having multiple same child tag?

XML

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to extract xml value having multiple same child tag?

XML

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem